High-profile security breaches, such as Target and Wipro, underscore the importance of properly securing vendor access. Yet today’s vendor access processes can be unwieldy, costly, and often ineffective. How can vendor access be handled in an efficient, streamlined way, without putting critical assets at risk?
Read this paper to discover:
Key trends and challenges affecting vendor access
Common vendor access pitfalls to avoid
The seven steps you need to follow in order to secure your business
Overview
Vendor access encompasses the process of enabling vendors, suppliers, partners, and other third-parties to access their clients’ applications, data, and services. Securing vendor access enables outside firms to safely interact with exactly the resources they need, without compromising security.
Most companies today have a network of vendors with which they must work in order to meet their business goals. Vendors can help businesses manage areas like human resources or marketing, provide technical assistance, play a key role in the supply chain, and more. Yet the ability of vendors to access an organizations’ systems – while helpful – can also pose a huge security risk. Moreover, vendor access processes are often difficult to set up and even harder to maintain.
As businesses grow and become more dispersed, the problem of securely and easily managing vendor access is growing. That’s why it’s important to understand the key trends affecting vendor access, as well as a framework for designing a secure vendor access strategy.
Is Digital Transformation To Blame?
Digital transformation is a common buzzword these days. Yet the reality is that those companies that want to succeed, need to expand their digital assets and automate and outsource increasingly large numbers of processes. Essentially, digital transformation is radically changing how modern companies operate.
As a part of this movement, companies are increasingly dependent on outside firms to get things done. This can create a cost-effective environment in which processes get accomplished more efficiently, by people with the appropriate expertise, in a timely manner.
At the same time, digital supply chains have emerged as a major cybersecurity risk. Users, devices, applications, networks, and data across multiple organizations are interconnected by a complex mesh of process and technology. This environment is difficult to develop, maintain, and keep secure.
Along with vast digital supply chains, digital transformation has also driven the adoption of Cloud and SaaS applications. More often than not, no single control point can manage vendor access in this growing footprint of applications, data, and services. IT and security are scrambling to keep up with an expanding attack surface. Meanwhile, third parties account for over half of all data breaches.
Why Is Vendor Access So Hard?
In most organizations, vendor access includes some combination of vendor assessments, VPN for access control, and log collection, either from the VPN server or an Active Directory system.
This environment creates five key issues:
Lack of Control – A single flat network with VPN access does not provide granular controls to prevent a single compromised vendor from accessing resources outside the scope of their responsibilities.
Poor Visibility – Once vendors have access to resources (such as applications, data, and services), there is no ongoing monitoring of their activity on those resources.
Little Accountability – Vendors and clients do not share equal responsibility and accountability for security. Compliance checklists are often rubber-stamped and forgotten.
Technical Complexity – Proper implementation of vendor access requires too many products and too much automation to get it right. The technical implementation alone is an integration nightmare.
Process Complexity – Despite ticketing and workflow tooling, vendor access often comes down to back-and-forth over email between vendors and multiple client teams to determine which resources need to be exposed and how. Process complexity can add weeks to vendor onboarding times.
A secure vendor access program must address these challenges.
The 7 As of Securing Vendor Access
It is with these challenges in mind that we have laid out the seven essential elements of a secure vendor access program. As you read, please keep in mind that IT and security teams must have a strategy for each one of these items. In order to help you develop that strategy, we have ensured that each subsection describes not only the element on which to focus, but also options to address it.
1. Assessments
How does your organization assess vendor risk before onboarding and continuously thereafter?
Assessments are the centerpiece of IT Vendor Risk Management (VRM). While spreadsheets and checklists can be cumbersome for both vendors and clients, they help measure vendor risk. A vendor access program should start (but not end!) with a vendor assessment.
Vendor assessments can cover a wide range of dimensions. In this section, we’ll go over three aspects to consider as part of a vendor access strategy, but be aware that there can be many more steps involved.
Industry Regulations
Every industry has rules and regulations to manage. Complying with relevant regulations should be table stakes for doing business. For this reason, part of every vendor assessment should include verification of compliance for the appropriate industry regulations.
Security Assessments
Companies must adopt a security standard by which to measure vendor security posture. Standards such as NIST 800-53 or NIST 800-17 can serve as a starting point for developing a comprehensive vendor security assessment.
A vendor access program can also require vendors to present a compliance certification from an outside auditing firm against a specific standard, such as SOC2. Additionally, automated security assessments can augment more traditional assessments. For example, you can use tools like those provided by BitSight and SecurityScorecard for vendor security scoring metrics that can help compare your security posture to the relative security posture of multiple vendors.
Personnel Assessments
In conjunction with assessing the vendor as a company, a vendor access program can include assessments of individual personnel at the vendor who might interact with sensitive resources. Personnel assessments range from a simple background check to in-depth security training and testing.
2. Authentication and Identity
How does your organization authenticate vendor access and manage identity?
Understanding identity and authentication is a critical element of vendor access. Access to resources, such as applications and networks, are predicated on authentication.
Several strategies are possible for managing vendor identity:
Create a single account – In its least secure form, a company can create a single account for all users at a particular vendor and then share that account and any credentials with the vendor.
Create a variety of accounts – A better approach might be to create a different account for each user from the vendor and to again share the credentials with those users.
Create privileged accounts – Companies can develop privileged accounts for any resources that require outside access. However, rather than sharing those privileged credentials, businesses can store them in a password vault (or a PAM solution) and rotate the passwords regularly, only granting temporary access to the passwords to authenticated users from the vendor.
Set up a separate domain – Setting up a separate domain within the identity provider specifically for the vendor is an approach some take. You would then have to create accounts within that domain.
Allow vendor identity management – Finally, the vendor itself could manage identity. In that case, the organization would configure all applications or other resources which the vendor needs to access, trusting the vendor’s identity provider via federated identity. You could use a service like Okta or ADFS to handle this process.
Once the source of truth for identity is selected, the vendor access program should also dictate the allowed authentication mechanisms (for example, Multi-Factor Authentication, aka MFA).
Beyond users themselves, a vendor might also require machine-to-machine (M2M) access into an application or system. In this case, the organization might still use password credentials for authentication, or rely on PKI, a private key pair, or even an API token to authenticate the M2M connection.
3. Access Control
How does your organization authorize and control access to resources?
Authorization determines the rules for which users or identities can access what resources and how. These rules can take the form of groups, roles, privileges, permissions, personas, or profiles.
Each application might use a different concept for how an authenticated user or identity should map to a set of rules within that application. For instance, some applications might allow mapping from a “group,” which is stored with the identity of the user, to a “role,” which determines a set of permissions within a particular application.
Access control is the enforcement mechanism for authorization. It often limits the extent to which authorization rules can be implemented. Any vendor access strategy must involve at least one form of access control, if not more. Some organizations even deploy a multi-layered approach to access control.
Ready to hear more? Let’s check out a few options for controlling vendor access.
Network Access Control
VPN systems tied to LDAP or RADIUS are a common form of network access control. Before vendors can connect to an application, they must connect to the VPN, and before connecting, the vendor must authenticate. Unfortunately, most VPN implementations provide vendors with access to a flat network where they can easily access unrelated applications.
The alternative is to configure a unique VPN profile per vendor to limit this exposure.
Application Access Control
Whereas VPN is an accepted standard for Network Access Control, Application Access Control is much more fragmented. Authentication mechanisms, such as SAML and OAuth, make it easier to unify authentication and identity across multiple applications. That said, granular application authorization rules are still application-specific. For example, each application might have a different set of “roles” to configure.
Privileged Access Management
To unify authorization across multiple applications, some businesses utilize Privileged Access Management (PAM). PAM replaces the need to reconfigure multiple applications whenever a new vendor comes along. Instead, PAM systems create privileged accounts on systems or applications and then strictly control access to the credentials for those accounts. This approach to access control is especially crucial in legacy environments.
Zero Trust Network Access
The newest approach to access control is called Zero Trust Network Access (ZTNA). ZTNA collapses the three previous approaches, and ties access more closely to identity.
In general, ZTNA relies on a zero-trust gateway that sits between vendors and the applications they need to access. The gateway verifies the identity of the user and the posture of their device.
Once verified, the gateway looks up the granular access rules for that particular user and will proxy connections to that application. This approach requires both a mechanism to assess endpoint security posture on uncontrolled vendor endpoints, and a tight integration between the gateway and the backend applications.
4. Activity Monitoring
How does your organization track vendor activity?
Once a vendor can access the systems and applications they need, their activity should be monitored and recorded.
Basic activity monitoring might involve log collection from authentication servers (such as Active Directory logs) and any access control points (such as VPN servers).
A more sophisticated activity monitoring strategy would examine per-session activity for a particular vendor and would also include application-level logs.
In its most extreme form, session recording tools can record exactly what a vendor is doing, with the option to replay that information later in the event of an incident. Achieving this level of monitoring might require setting up a jumpbox to serve as the single point of entry for the vendor and a point at which all session recording takes place.
5. Analysis, Alerts, and Reporting
How does your organization analyze vendor activity over time?
Logging vendor activity alone is not enough for a robust vendor access program. Vendor activity must also be analyzed to create actionable intelligence.
Running analytics on vendors might require forwarding vendor activity logs to a Security Incident and Event Management (SIEM) system for analysis. Alternately, it could involve complex integration and automation of collection, processing, analysis, and reporting activities.
Behavior Anomalies
One goal of analysis is detecting unusual or anomalous vendor behavior that might signal a compromised vendor. This type of analysis requires a baseline to understand what normal behavior is for a particular vendor and then a continuous comparison of real-time activity against that baseline.
Vendor behavior baseline activities can include, for example:
Time of day
Location
Systems accessed
Data transferred
Which users are authenticating
In addition to identifying unusual activity, behavior analysis can also help an organization generate reports to understand which vendors are most active in the environment and longer-term trends about which vendors are engaging more or less over time. Vendors with infrequent access could transition to an on-demand access model rather than a permanent one.
Risk Analysis
Another goal for analysis should be understanding vendor risk. By examining which systems a vendor might access and combining this information with the security posture of that vendor, a complete analysis can generate a quantitative risk score for the vendor. When it comes time to review vendor assessments, risk scoring can help prioritize the vendors that pose the highest risk.
6. Auditing and Reporting
How does your organization audit your vendor access program?
Like any business process, organizations should audit their vendor access programs regularly to ensure compliance with internal policy as well as any relevant external regulations. Regardless of whether an audit is internal or external to the organization, the vendor access program should make it easy to audit.
The organization should document every process and workflow. Logs retained should include not only vendor activity itself, but also how an organization manages changes to configuration to enable vendor access.
7. Automation
How does your organization automate vendor access workflows?
Manual workflows slow down business velocity and introduce human error. An ideal vendor access program should include plenty of automation for everything from assessments to authentication and access control onboarding to the ongoing monitoring and analysis of vendor activity.
In its most basic form, ticketing and workflow automation tools can be used to streamline repetitive processes. For example, tools like Service Now or Jira can move tickets through a consistent set of stages for vendor assessments, onboarding, and offboarding, as well as integrate with existing tooling for authentication and access control.
Four Crucial Vendor Access Program Tips
Along with following the seven As, be sure to avoid the following five common vendor access mistakes.
Treat Vendor Access as a Program, Not a Project
Many organizations make the mistake of treating each vendor as a one-off project when securing vendor access should be a program unto itself with clear ownership and clearly defined processes, procedures, and policies in place.
Remember Vendor Access Management Is a Continuous Process
Never treat vendor access as a one-time event. The seven elements listed above make up a cycle of activities that should be executed continuously over time.
Find the Right Talent
Even with the right budget and security architecture to address these challenges, improperly staffing the program can introduce more risk than it mitigates. Vendor access ultimately requires trained security experts and analysts to properly implement and manage most parts of the program.
Integrate IT and Security
A robust vendor access strategy requires a cross-disciplinary integrated program across IT & Security. Operating independently leads to gaps in responsibilities.
Conclusion
A robust vendor access program is critical for preventing data breaches and reducing risk. Defining your vendor access strategy and forming a robust vendor access program requires assessments, authentication and identity management, access control, activity monitoring, alerts and analysis, auditing and reporting, and automation. So as you can see, building your program can be a complex and challenging process. However, if you follow all seven elements described in this document, you will be well on your way to achieving the secure and effective vendor access program you need.
About Oort
Oort makes cloud-hosted vendor and third-party access and risk management fast, easy, and secure with end-to-end consistency, control, and visibility. The Oort B2B Security Fabric is a turnkey vendor access platform that securely connects mid- to enterprise-size organizations with their vendors, suppliers, third-parties, and partners.
Learn more at https://oort.io or contact us directly at matt@oort.io.